Love the Hoff
You know you want to
His poetry will sway you
April 2008 Archives
I realize that I've been a bit light on infosec subjects lately, so thought that I'd better get back on topic. :) There are three bits out today that I've found particularly interesting.
First, more information has been released by the Payment Card Industry regarding their DSS 6.6 requirement on application security. It's a very insightful read and should help calm the nerves of those doing compliance.
Second, TippingPoint has broken into the Kraken botnet, to the tune of potentially controlling 25,000+ compromised hosts. They're now debating the ethics of using the infection to clean and secure the infected hosts. This issue is not nearly as simple as some might imagine. For one thing, to do so could be illegal. For another, who knows how much liability could be involved, especially when considering the law of unintended consequences.
Third, it's been disclosed that Microsoft has been providing law enforcement with free USB pendrive toolkits for forensics response purposes. It's not clear what all is on these devices, though one might assume many of the SysInternals tools are included (MS bought them a while back). Some have raised questions about the quality of evidence collected using these tools, since many of us doubt that write protection is enabled, etc. These devices appear to be designed for live response and require physical access to the box. I am curious about how they're bypassing the login screen, where they're capturing data to (is MS playing custodian for network-based data capture?), and what toys they've included. Hopefully there aren't any secret backdoors that will be subsequently exploited. :(
I have a couple fun new big oil conspiracies. The first conspiracy relates to the self-fulfilling prophecy of $4/gal (and maybe $5/gal) gas prices. Sure, it's much less than they pay in Europe, but we're also not paying nearly the same amount on tax as they are. Anyway, my theory on these prices is that big oil is trying to soak us consumers for every last cent possible before Bush leaves office. What do you think? :)
Now for the fun one... Are tax rebates really designed to benefit the big oil companies? Check out the chart below. In it, I have plugged in some relatively average numbers for miles driven per week (miles/wk), average miles per gallon consumed by the average American vehicle (mpg), the gain in prices over a year ago (price delta), the tax rebate for a single person (tax rebate), the calculated additional fuel cost per month based on the price delta (extra fuel cost), and then the number of months that the tax rebate covers just the additional cost (# mos covered).
One brief observation based on watching the John Adams miniseries... our modern day Republicans should probably be called Federalists (the party of Adams, not Jefferson), whereas the Democrats are descended from Jefferson's original Democratic-Republican Party. However, neither party really seems to be Republican in nature, as Jefferson, I think, would define. Neither party seems to be truly in support of small central government and strong States' rights. The only connection that is really obvious is that the Neoconservative Movement that has steamrolled the GOP (aka the "Republicans") is for a strong federal government, a strong executive branch, and a strong standing military. All of these attributes were shared by the Federalists of Alexander Hamilton.
One thing is clear: both parties probably need to change their names soon to something more accurate, and perhaps more representative of the will of the People. Libertarians haven't been overly successful, nor has the Green Party. Perhaps we'll see a Populist Party rise some day, or maybe even a return of the Democratic-Republican Party as a hybrid of both main parties.
Due to travels, it's taken me a little extra time to catch up on the last four episodes of HBO's "John Adams" Miniseries (based on the book John Adams by David McCullough), but I've finally completed the set, and thought I'd take a moment to comment. Overall, I liked the series, though I never fully adjusted to Paul Giamatti in the lead role. He seemed to grow into the role eventually (particularly as Adams ages), but in the end, I wasn't fully convinced. That's not to say that I could think of any other actor who might have done a better job.
I truly enjoyed Laura Linney in the role of Abigail Adams. To me, it was refreshing to see her playing a strong, intelligent woman instead of her typical neurotic characters. And, she did a remarkable job. The tale of Abigail Adams is one that should be instructive to everyone, representing how to be generally wise and discreet. She also sets what appeared to be an excellent example for a first lady (or first spouse, if you will).
Ok, not really, but it's kind of a catchy headline, right? For anyone that caught the RSA Conference (either live or in archive), then you probably picked up on the theme that I've been riding for a few months now: this industry is stagnated and dying. In their keynote, IBM even went so far as to say that the industry has no future. While I think that this is a gross mischaracterization of the situation, it is an interesting stance for a product company to take. RSA Pres Art C said similar things during his keynote, too, but then proceeded to talk about how RSA products would be the solution to the problem (what was the problem again?). Anyway... this week has seen a full surge in this death knell for the industry, though now in the form of dismantling it, piece by piece.
I've pointed out numerous times the fallacious logic of the current carbon emissions crowd, that the planet is not about to die, just that humans may be impacted. Unfortunately, it's hard to get a word of rational logic heard over the shouting of the generational obsessives who think that global warming==carbon emissions. Now comes news that the planet has already gone through cycles much warmer than this one.
During a warm period some 3.5 million years ago, for instance, the ice sheet may have disappeared completely for around 200,000 years, raising sea levels globally by up to 10 metres.
For the first time, the ANDRILL cores show exactly how ice retreated rapidly and quickly in Antarctica. “That happened at a time when it was three to four degrees warmer than today, owing to atmospheric carbon dioxide concentrations, which we will very likely reach again soon,” says Tim Naish, a project leader at the Institute of Geological and Nuclear Sciences in Lower Hutt, New Zealand.
Well, her royal heinous (er, sorry, highness) has won the Pennsylvania race, and the mass media is tripping all over itself to make her the nomination, in spite of what the majority wants. Never mind that Obama was 25+ points down just a couple weeks ago, mounting what should be seen as a remarkable comeback of his in PA. But that's not what has me riled... No, instead, it's the bad math.
Based on the results posted at CNN.com, Clinton is said to have won 55% of the vote to Obama's 45%, giving her a 10-point win. This "double-digit" win is being talked about all over the place. Unfortunately, it's a fictitious number based on double-rounding, and it's misleading. I know, I know... quit picking at nits... but it's irksome!
Well, it's that time of year again: Earth Day. This will be my 2nd annual Earth Day post (last year's post is here). For this year, I thought I'd just list a bunch of random stuff that I think may be useful. Mainly, the focus, in my mind, should be in a few key areas: reduce, sustain, prepare. Let me explain what I mean.
Today is Earth Day. As gas prices soar over $4/gal (self-fulfilling prophecy anyone?!?), now would be a good time to renew protests against Big Oil and the Bush administration. Have you called Congress lately? Have you replaced at least one incandescent bulb with a CFL? I'll write more later, but wanted to get everyone off on the right foot. :)
Ok, so, I try not to post anything too off-color here, but this act is just hilarious. It is visually safe for work, but the AUDIO is NOT SAFE FOR WORK. If you don't find off-color humor funny, then please don't watch it. If you're easily offended, then please don't watch it. Otherwise, I hope that you laugh out loud like I did while watching it. An example of one exchange toward the end:
Jeff: "So, do you like being in DC?"
Achmed: "I think some idiots must live here."
Achmed: "For example, the Washington Monument..."
Achmed: "...it looks nothing like the guy."
(Click through to see the video.)
If anybody is interested, I've received a pass for a free 30-day membership to one of the clubs in the mysportsclub.com chain, including Washington Sports Club, New York Sports Club, Boston Sports Club, and Philly Sports Club. Though I've cancelled my membership at WSC due to lack of use and inadequate hours, maybe it'll work for you. If you live in the Fairfax, VA, area then I highly recommend getting training sessions with my friend Paul Dz. at the Fairfax WSC. Ping me if you'd like the pass. First-come, first-served.
Being sick the past few days, I've had plenty of time to lay around pondering life, the universe, and everything (42!). Well, sort of. At any rate, in my musings, I've been trying to think of a good blog topic, and the idea that has kept coming back to me is that of why I blog. I suppose that there are really only a handful of reasons why people write one of these posts on a reasonably regular basis, but I thought it might be interesting to explore my own thoughts on the matter, since writing has seemed quite natural to me.
I've just finished reading Richard K. Morgan's Broken Angels, the second in his Takeshi Kovacs series of novels (the first being Altered Carbon). Overall, I thought that the book was decent. The basis of the book is that human civilization has made leaps in technology and space travel beyond what is normal by evolutionary standards, likely reaching a point where the technology is too advanced for humans to grasp. This leg-up is granted through the discovery of "Martian" outposts, long since abandoned, though with no clear indication of the circumstances. At one point, Kovacs makes an interesting point, that humans and machines/computers are locked into this evolutionary competition, alternating superiority. At one point in time, AI will provide better and faster analysis, but then bio-engineering will advance and thus make humans the better analysts again. There are certain parallels with humans, at least in the foreseeable future (think IDS, log management, etc.).
If you're into Science Fiction, then this series (thus far) may be of interest to you. Be forewarned that the novels tend to get a bit gory and graphic in certain places. I can only imagine what these novels would look like on the big screen. Suffice to say, though, that if you like the notion that humans are just one of the latest evolved life forms in the universe, then you'll undoubtedly find these books entertaining.
...DSL to the server, for a good chunk of the day...
...me... with a nasty cold, driven in by a few flights this week...
I should be back to normal in a few days. Try not to miss me too much. ;)
Just a quick note... I'll be on travel the first half of this week, so I may or may not have much to post. I'm still working on recovering from RSA and compiling notes for posting a full-on reflection piece. That may get done in transit tomorrow. Or not. We'll see. :) There are actually a few topics to bounce about when I get back. First, I need some sleep and energy. :)
As an fyi, I'm sure many of you have wondered "Hey, Ben, you advocate kettlebells for exercise, yet they don't seem like they'd travel well. What do you do?" The answer is in the below link for Pavel's book "The Naked Warrior." It teaches a couple key body-weight-only exercises that you can use to continue building strength while on the road, no kettlebells required. Coupled with all the hiking around San Fran last week, I actually lost a couple pounds while my legs got stronger. Not too shabby.
Good grief people, are the Clinton lovers really so desperate that they have to go into lame character assassination mode? Oh, I'm sorry, I forgot, this whole Obama vs Clinton thing is highly personal and an attack on the foundations of modern society. Whatever. People have been waiting to pounce on a little opportunity like this. Don't forget, though, that he's still in the lead.
Anyway, my own complaining aside, here's the deal: Obama is a very smart, well-educated, former professor. What some people may interpret as arrogance, particularly with the whole "bitter" quote, is in fact a projection of their own feelings of inferiority by comparison. Don't hate or deride the man because he's smart and sometimes uses big words when he speaks. Embrace him for being a refreshing alternative to either of the other candidates. And let the guy slip up once in a while. At least he wasn't lying about being under fire in Bosnia...
I'll be doing a more complete retrospective on the conference later (hopefully annotated on the flights home, and then typed quickly Sunday, if I'm allowed to do so :). Overall, Friday was a great ending to the conference, with a very light schedule (thank goodness). The highlight was the final keynote by former VP Al Gore, complete with a few hecklers. More after the jump...
This is a very brief middle-of-the-night, post-Codebreakers Bash post. Day 4 was clearly a coasting period... the vendors were all exhausted and in decline... but yet, it was a very good day. :)
Just a few quick notes on yesterday (my 3rd day at RSA 2008). Let me start by saying that I have a throbbing headache as I write this (hangover?)... and I'm starving, because I somehow managed not to eat anything at the 4+ receptions that I visited, so am starving to boot. Ah, yes... nothing like the conference life! :)
Greetings! I'm exhausted. :) Ok, that being said, I wanted to run down what I've been up to thus far. My feet hurt. And, for the record, it's rather chilly here, with a consistently stiff breeze (particularly cold in one's face while trying to walk uphill).
I'm heading out to San Francisco early tomorrow (Sunday) morning to attend the RSA Conference 2008. I'll be attending an IAM pre-conference workshop Monday, then several newbie events that evening (this is my first time to RSA). Tues-Fri are the conference, which look to be very busy as of right now. I'll do my best to blog as I go, but no promises that anything will be timely. We shall see.
This is TOTALLY AMAZING. If you're a snowrider at all, then you'll absolutely love this video. It's a first descent on one of the sickest runs I've ever seen. He's a mad dasher, for sure.
Hanna and I went downtown after work on Wednesday (4/4/08) to walk around the Tidal Basin, taking in the lovely cherry blossoms. Each year I seem to take fewer pictures. Of the less than 20 that I took, I've posted an even dozen on my photos site.
The brief editorial included by Editor-in-Chief William Falk in this week's edition of "The Week" is quite amusing. Apparently a scientist in Hawaii has filed a lawsuit seeking a stop-work order against the Large Hadron Collider in Europe, because he fears that its use will cause "an irreversible implosion" that will result in "forming a miniature version of a gigantic black hole." He suggests that once a few of these mini black holes are created, they'll converge and begin to grow and suck in everything around them. Other scientists aren't too concerned, says Falk:
"Pshaw, say the particle physicists who run the collider. They've already run the equations, and any micro-black holes they might create would vanish in a nanosecond. Perhaps so. But scientists have been known to be wrong. So I suggest that starting today, we all live as if the End is near. Tell your friends and family members how you really feel about them. Leave work early. Go watch the sun set. And look at the bright side: Everything you know and love may be annihilated, but wouldn't that be a small price to pay to finally put an end to the Democratic presidential campaign?" [emphasis added]
Well, that was a quick month! :) It seems that as I get older, if I blink, then I might just miss something significant. For those keeping track, this is my monthly recap of my goals for the year (see Jan and Feb reports). I'm providing these reports as a way to publicly motivate (or flog) myself. Hopefully you find them interesting, and maybe some day one of you will even post a comment ridiculing my pathetic efforts. :)
March was an interesting month. Hanna and the baby are continuing to do well. My application to the ATLAS PhD program at Colorado-Boulder was rejected (unsurprisingly - I didn't put my best effort into it, sadly). I was put in for a promotion at work (I should be officially a "senior security consultant" very soon). Work continued, as it's been known to do. Overall, it was an uneventful month, as best as I can tell. The only really big news was that Hanna's sister gave birth to a baby girl, while Hanna was visiting. Kind of cool. Babies seem to be en vogue, because a lot of people I know are having them this year. :)
I finished reading Terri Irwin's memoir, Steve and Me: Life with the Crocodile Hunter, on Wednesday evening. Those who know me probably know that I tend to be an emotional fellow. Well, this book certainly brought out the water works (and no, I'm not embarrassed by that). Plainly put, this is a story about a truly remarkable man, much maligned by the media, who did everything in his power to be the best exemplar of conservation, a fearless role model, and a wonderful father and husband. The strangeness of how he was lost makes the story that much more shocking. The premonitions leading up to it are even more intriguing.
Perhaps what I found most interesting about this book was that we finally get to learn more about Terri. Steve's life was so large that she often got lost in the background (I felt). In truth, she is just as much of a conservationist as he was, and had already established her professional life as such before she met him. They were a perfect match, only really differentiated by her knowing fear where he knew none.
Overall, I highly recommend this book to everybody. It has funny parts and sad parts, but it is age appropriate for everyone. The pictures in the middle are great, too.
Next up: Richard K. Morgan's Broken Angels.
Ok, forgive me, but it's soapbox time. There have been a few stories that have been irking me this week and now it's time to get them out of my head.
I'm pleased to announce that Hanna is carrying a very healthy, active baby girl. Before I show you pictures from today's sonogram, I'd like to direct your attention to the PayPal button at right, in case you'd like to make a donation to the cause. :)
Here's a philosophical question: Is it acceptable to behave in an immoral and/or unethical manner if it is for a good cause? That is to say, if you're fighting evil, is it ok to be evil?
If you're President Bush and his cronies, the answer is apparently a resounding, unmitigated "yes." Thanks to ACLU FOIA requests, it's come to light this week that the White House not only explicitly authorized the use of torture in interrogations, but it also concluded that the American military, comprised of American citizens, directed by an American citizen as Commander in Chief, are not subject to the American Constitution, to which these Americans had sworn an oath to uphold, serve, and protect. The White House claims to have disavowed that stance long ago, but it still makes me wonder what else these relativistic ethicists came up with. Never mind that the President's power actually descends directly from the US Constitution (a minor oversight, I'm sure).
One thing is certain: as documents are exposed, there is an even clearer case for deposing and convicting this administration for impeachment, war crimes, and treason. They've violated their oaths, and should be held to account for it. Failure to hold them accountable is tantamount to saying that the rule of law is only important when it's convenient. That is an unacceptable message, with gross implications far beyond politics and national security. How are we in the security industry to expect compliance with policies and standards if the theme from the top leadership of the country is "do what you want when you want, regardless of the requirements to which you are subject"?
Hands down, my favorite observed April Fools' Day prank yesterday was for "Scanless PCI." From the site:
Quite simply, it's the fastest, least intrusive, most cost effective PCI certification on the market. Our patent-pending scanless technology is just as effective as any PCI certification on the market, but far less costly to deploy and maintain.
To that end, I of course decided to get certified, too.
Hat tip to Rich Mogull at Securosis.